BlackBerry Releases Guidance on OpenSSL Heartbleed Vulnerability

BlackBerry has finally gotten on the ball about the Heartbleed vulnerability in OpenSSL that is causing chaos around the world. We gave you BlackBerry’s first statement right after the news broke and now we have the official advisory. BlackBerry has confirmed that most BlackBerry products are not vulnerable to the OpenSSL bug. Specifically, it has confirmed that BlackBerry 10 and legacy smartphones, BlackBerry Enterprise Server 5, and BlackBerry Enterprise Service 10 are not vulnerable. The only applications that are potentially vulnerable are:

BBM for iOS and Android

Secure Work Space for iOS and Android

BlackBerry Link for Windows

BlackBerry Link for Mac OS

BlackBerry Link is not a big touchpoint: it is a desktop sync client that is rarely reachable directly from the internet, so an attacker would first need a foothold on the local network or a way to make Link talk to a host they control. BBM for iOS and Android, on the other hand, is a different story, and it will be interesting to see what they do about it, especially since BlackBerry says there are currently no mitigations for the vulnerability. Because the BBM apps are TLS clients rather than servers, exploitation requires getting the app to connect to a server the attacker controls, which is likely what BlackBerry means by "non-trivial to exploit" below.

Check out the details below:

BlackBerry response to OpenSSL “Heartbleed” vulnerability

This security notice addresses the OpenSSL® vulnerability that was announced on April 7, 2014. BlackBerry® customers can rest assured that while BlackBerry continues to investigate, we have determined that BlackBerry® smartphones, BlackBerry® Enterprise Server 5 and BlackBerry® Enterprise Service 10 are not affected and are fully protected from the OpenSSL issue. BlackBerry is diligently working to investigate the vulnerability, resolve the related issues as quickly as possible, and communicate the findings and resolution to our customers.

Who should read this notice?

BlackBerry smartphone users

BBM™ for iOS and Android users

Secure Work Space for iOS and Android™ users

IT administrators who deploy BlackBerry smartphones, BlackBerry Enterprise Server, BlackBerry Enterprise Service, or Secure Work Space for iOS and Android in an enterprise

More Information

Have any BlackBerry customers been subject to an attack that exploits this vulnerability?
BlackBerry is not aware of any attacks targeting BlackBerry customers using this vulnerability.

When will BlackBerry fix the BlackBerry products affected by the OpenSSL heartbeat extension read overflow vulnerability?
Most BlackBerry products, including BlackBerry Enterprise Service 10, BlackBerry Enterprise Server 5, and BlackBerry smartphones, are not affected by the vulnerability and no fix is required. For those products that are affected, we are working to determine the full impact of the issue and confirm the best approach for protecting customers.

When will BlackBerry provide more updates about this issue?
BlackBerry may provide further updates as needed while our ongoing investigation continues. This notice will also be updated when the affected BlackBerry products have been fixed.

BlackBerry is currently investigating the customer impact of the recently announced OpenSSL vulnerability. BlackBerry customers can rest assured that while BlackBerry continues to investigate, we have determined that BlackBerry smartphones, BlackBerry Enterprise Server 5 and BlackBerry Enterprise Service 10 are not affected and are fully protected from the OpenSSL issue. A list of known affected and unaffected products is supplied in this notice, and may be updated as we complete our investigation.

The OpenSSL heartbeat extension read overflow is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows an attacker to steal the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. This issue was addressed in OpenSSL 1.0.1g and a fix is available for integration into affected BlackBerry products. The vulnerability is detailed in CVE-2014-0160.

Further investigation into affected products is ongoing, and BlackBerry is working to determine the full impact of the issue and confirm the best approach for protecting customers. As fixes become available, this notice will be updated.

Mitigations

Mitigations are existing conditions that a potential attacker would need to overcome to mount a successful attack or that would limit the severity of an attack. Examples of such conditions include default settings, common configurations and general best practices.

Secure Work Space
There are no mitigations for this vulnerability for Secure Work Space for iOS and Android.

BBM on Android
There are no mitigations for this vulnerability, however the vulnerability is non-trivial to exploit.

BBM on iOS
There are no mitigations for this vulnerability, however the vulnerability is non-trivial to exploit.

BlackBerry Link
This issue is mitigated for BlackBerry Link for Mac OS and BlackBerry Link for Windows due to the fact that, typically, these systems are not visible to the Internet and external traffic is sent via a proxy in a business environment. This significantly raises the difficulty of exploiting these systems.

Workarounds

Workarounds are settings or configuration changes that a user or administrator can apply to help protect against an attack.

There are no workarounds for this vulnerability for BBM on iOS and Android and Secure Work Space for Android.

BlackBerry Link customers can employ their firewall system to filter out heartbeat requests.

More Information

What is OpenSSL?
OpenSSL is an open-source implementation of the SSL and TLS protocols. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

What is the OpenSSL “Heartbleed” vulnerability?
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users. This issue was addressed in OpenSSL 1.0.1g.
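The advisory describes the bug as a "heartbeat extension read overflow" and suggests that BlackBerry Link users filter heartbeat requests at the firewall. The following is an added example, written for this page and not BlackBerry's or OpenSSL's own code, that shows both points in one place: it models the missing bounds check behind CVE-2014-0160 (the pre-1.0.1g code trusted the attacker-supplied payload_length field when copying bytes back into the response), the check that 1.0.1g added, and the record-level rule a firewall or IDS can apply to drop a malformed heartbeat request. The heap contents and the record bytes are constructed here for illustration; the function names, the FAKE_HEAP constant and the way "memory after the record" is modelled are assumptions of the example, not details from the advisory.

```python
"""
Model of the TLS heartbeat extension (RFC 6520) bounds-check failure known as
Heartbleed, with the corresponding firewall/IDS filter rule.  Added example:
the heap contents below are constructed, not captured from any real process.
"""
import struct

TLS_HEARTBEAT = 0x18            # TLS record content type for heartbeat messages
TLS_APPLICATION_DATA = 0x17
HB_REQUEST = 1                  # HeartbeatMessageType values from RFC 6520
HB_HEADER_LEN = 3               # type (1 byte) + payload_length (2 bytes)
HB_MIN_PADDING = 16             # RFC 6520 requires at least 16 bytes of padding

# Constructed stand-in for whatever happened to sit after the record in the
# process heap; a real leak would return session data, keys or passwords.
FAKE_HEAP = b"session_cookie=SECRET-TOKEN-4f2a9c; admin=1; next_request=..."


def build_heartbeat_record(payload, declared_len=None, version=b"\x03\x02"):
    """Build a TLS record carrying a HeartbeatRequest.  declared_len lets the
    caller lie about payload_length, which is exactly what the attack does."""
    if declared_len is None:
        declared_len = len(payload)
    body = struct.pack("!BH", HB_REQUEST, declared_len) + payload + b"\x00" * HB_MIN_PADDING
    return struct.pack("!B2sH", TLS_HEARTBEAT, version, len(body)) + body


def parse_record(record):
    """Split a TLS record into (content_type, version, fragment)."""
    ctype, version, length = struct.unpack("!B2sH", record[:5])
    frag = record[5:5 + length]
    if len(frag) != length:
        raise ValueError("truncated TLS record")
    return ctype, version, frag


def vulnerable_heartbeat_response(frag, process_memory):
    """Pre-1.0.1g behaviour: copy payload_length bytes starting at the payload
    without checking that they lie inside the received record.  The bytes
    beyond the record come from `process_memory` (constructed heap model)."""
    _hb_type, payload_len = struct.unpack("!BH", frag[:HB_HEADER_LEN])
    heap_view = frag[HB_HEADER_LEN:] + process_memory
    return heap_view[:payload_len]          # over-reads when payload_len is a lie


def hardened_heartbeat_response(frag, process_memory):
    """Post-1.0.1g behaviour: discard the request when the declared length
    cannot fit inside the record; otherwise echo exactly the payload bytes."""
    if len(frag) < HB_HEADER_LEN:
        return None
    _hb_type, payload_len = struct.unpack("!BH", frag[:HB_HEADER_LEN])
    if HB_HEADER_LEN + payload_len + HB_MIN_PADDING > len(frag):
        return None                          # silently drop, as the fix does
    return frag[HB_HEADER_LEN:HB_HEADER_LEN + payload_len]


def is_malformed_heartbeat(record):
    """Filter rule for a firewall/IDS: flag a heartbeat record whose declared
    payload_length (plus header and minimum padding) exceeds the record length.
    Non-heartbeat records are never flagged, so normal TLS traffic passes."""
    ctype, _version, frag = parse_record(record)
    if ctype != TLS_HEARTBEAT:
        return False
    if len(frag) < HB_HEADER_LEN:
        return True
    _hb_type, payload_len = struct.unpack("!BH", frag[:HB_HEADER_LEN])
    return HB_HEADER_LEN + payload_len + HB_MIN_PADDING > len(frag)


if __name__ == "__main__":
    honest = build_heartbeat_record(b"hi")
    lying = build_heartbeat_record(b"hi", declared_len=40)
    for name, rec in (("honest", honest), ("lying", lying)):
        frag = parse_record(rec)[2]
        print(name, "malformed:", is_malformed_heartbeat(rec))
        print("  vulnerable echo:", vulnerable_heartbeat_response(frag, FAKE_HEAP))
        print("  hardened echo:  ", hardened_heartbeat_response(frag, FAKE_HEAP))
```

The filter in is_malformed_heartbeat is the same arithmetic as the 1.0.1g fix, applied on the wire instead of inside the library; it only works on a device that can see the TLS record layer, which is why it suits a perimeter firewall in front of BlackBerry Link but offers nothing for a BBM app talking to a server outside the enterprise network.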